Dnamic Detection and Protection Mechanism against Distributed Denial of Service Attacks using Fuzz Logic M. Parameswari and Dr. S. Sukumaran Associate Professor, Department of Computer Science Erode Arts & Science College, Erode-638 009, Tamilnadu, INDIA Abstract DDoS (Distributed Denial of Service) is the attack to pollute the network. The attacker creates a large amount of packet to the particular sstem. The packets are sending b using the compromised computers. It is an effort to make a device or network resource engaged to its intended users. This paper describes training the DDoS attack detection sstem to recognize possible attacks on a sstem. The objective of this paper is to develop practical and scalable mechanisms to identif the DoS or DDoS attack sources. This paper includes implementation of traceback sstem in Single ISP domain, Multi ISP domain, and stateless Internet architecture and enhancing securit features. The proposed sstem is offered to trace-back method based on entrop variations and fuzz logic method. The sstem works on different between the normal data flow and attacking data flow. It has a number of advantages such as avoid packet pollution, no need to change the current routing software. Through empirical evaluation it is confirmed that the detection can be completed within improved real time limits and that b using fuzz estimators instead of crisp statistical descriptors it can be avoided the shortcomings posed b hpothesis on the model distribution of the traffic. Keword: DDoS Attacks, ICMP (Internet Control Message Protocol), CP (Cumulative path), Probabilistic Packet Marking (PPM) and Deterministic Packet Marking (DPM) INTRODUCTION Distributed Denial of Service attacks in the internet to pollute the network environment. The attackers generate a huge amount of requests to victims through compromised computers (zombies), with the aim of dening normal service. DDoS attacks are targeted to identif the victim resources, such as bandwidth, memor, and buffer. The attacker needs to attack the victim attacker to establish a large number of request send to the victim. So the attacker needs a multiple sstem to produce a request. The attacker discovers a large number of vulnerable sstems in the same network. These discoverable sstems are called as Zombies. The attacker installs the new program to the discovered sstem for attacking the victim in the network. The vulnerable sstem is identified b out dated antivirus using sstem or secure less sstem [3]. IP traceback is a name given to an method for reliabl determining the origin of a packet on the Internet. Due to the trusting nature of the IP protocol, the source IP address of a packet is not authenticated. As a result, the source address in an IP packet can be falsified (IP address spoofing) allowing for Denial of Service attacks or one-wa attacks (where the response from the victim host is so well known that return packets need not be received to continue the attack). The problem of finding the source of a packet is called the IP traceback problem. IP Traceback is a critical abilit for identifing sources of attacks and instituting protection measures for the Internet. Most existing approaches to this problem have been tailored toward Denial of Service attack detection. Such solutions require high numbers of packets to converge on the attack path(s). The network does not have effective method to locate the attacker such as hash Based IP Trace back, algebraic approach to IP trace back and Enhanced ICMP trace back as Cumulative Path. The attacker used this advantage and attacks the network. The IP traceback scheme is presentl used to identif the attackers. IP traceback schemes are considered successful if the can identif the zombies from which the DDoS attack packets entered the internet and that trace back scheme is easil identified the attacker. In the existing sstem two tpes of packet marking are used viz, Probabilistic Packet Marking (PPM) and Deterministic Packet Marking (DPM). Both of these packets marking require router b the marking to the individual packets. The PPM packet marking can onl operate in a small network. So, the detector or protector does not trace out the attacker. The network is ver small it does not identif the attacker location, when that person present awa from the network and the method is called DPM. The packet marking is require to all routers are updated b the packet marking technique. This DPM onl 25 spare bits is available to the single IP packet with the scalabilit of the DPM is ver huge problem [22]. IP traceback mechanism should be independent of the packet pollution and different tpes of attack patterns. DPM mechanism poses the extraordinar challenge on storage for packet. Once the attack started is found the different between the attack flow and the normal flow. In this IP traceback mechanism the entrop variation or different flows of the network and there is no packet marking are used. It avoids the problem of the packet marking method. The packets are passing through the router into flows, which are defined b the router where the packet came from the destination address of the packet. During the non attack period the router observes the normal flows. When the DDoS attacks occur the victim send request to the upstream routers, then the router identifies the attack flow path and the process was repeated again because to find the number of attackers in the network. PACKET MARKING SYSTEM In packet marking method traceback data is inserted into the IP packet b the routers on the path to the destination node. 5332
The packets are marked as the traverse routers through the internet either probabilisticall or deterministicall. Packet marking information is stored in the identification field of the IP header. The routers mark the packet with either the router s IP address or the edges of the path that the packet traversed to reach the Destination / Victim. The victim uses the information in the marked packets to trace an attack back to its source. For the first alternative, marking packets with the router's IP address, analsis shows that in order to gain the correct attack path with 95% accurac as man as 294, 000 packets are required. The second approach, edge marking, requires that the two nodes that make up an edge mark the path with their IP addresses along with the distance between them. This approach would require more state information in each packet than simple node marking but would converge much faster. Tpes of packet marking are Probabilistic Packet Marking (PPM) and Deterministic Packet Marking DPM. Deterministic Packet Marking approach focuses on determining the source of the attack packet and is not concerned with the actual path traversed b the attack packet, while the Probabilistic Packet Marking approach focuses on reconstructing the entire attack path through which the malicious packets have traversed. The DPM mark the spare space with initial router information. The receiver can identif the source location of the packets when it has sufficient information of the marks. The big problem in DPM is changing the current routing software. The problem of the DPM is due to the requirement of large number of packet reconstruction. Ever routers mark the own IP address of the packets header. The node sampling algorithm is used to record the router address of the packet. There large number of marked packets can do the reconstruction of the attack path. The edge sampling algorithm is used to mark the start router address to the end router address of the attack path and the distance is fixed in between the two ends [24]. It provider based deterministic packet marking models-to characterize DDoS attack streams-used to make filtering near the victim more effective. The proposed FUZZY BASED DETECTION mechanism has a rate control scheme that protects destination domains b limiting the amount of traffic during an attack, while leaving a large percentage of legitimate traffic unaffected. The above features enable service providers to offer enhanced securit protection against DDoS attacks as a value-added service to their customers, hence offer positive incentives for them to deplo the proposed models. The Scheme proposes and evaluates two providers-based packet marking models: Source-End Provider Marking and Source and Destination-End Provider Marking. Both models are based on deterministic packet marking, and aim to give the victim s provider stable and secure information about the path incoming traffic streams. The Scheme also proposes a rate control sstem that protects destination domains b limiting the amount of traffic during an attack, while leaving a large percentage of legitimate traffic unaffected. These facilitate providers to offer increased protection to their customers as a value-added service, improving the available throughput for legitimate users during such attacks. Path Identifier (PI) a packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identif packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing. In this approach an identifier is embedded in each packet based on the router path that a packet traverses. The victim needs onl to classif a single packet as malicious to be able to filter out all subsequent packets with the same marking. What makes this possible is that our packet marking is a perpacket deterministic mechanism: each packet traveling along the same path carries the same identifier. This allows the victim to take a proactive role in defending against a DDoS attack b using the Pi mark to filter out packets matching the attackers identifiers on a per packet basis. Most marking schemes are probabilistic in nature, in which the victim needs to collect a large number of packets to reconstruct the path. In this approach, a path identifier fits within a single packet so that the victim can immediatel filter traffic after receiving just one attack packet. The scheme is extremel lightweight, both on the routers for marking, and on the victims for decoding. The router marking is also robust to the presence of legac routers and shows strong incremental deploment properties. TRACE BACK APPROACH USING FUZZY SYSTEM The proposed method is better than the PPM and DPM packet marking, because there is no packet marking technique and no need to change the current routing software. The proposed mechanism as follows: Scalabilit (the size of attack network that can be handled) Storage (the storage space on routers or victims to conduct IP traceback) Traceback time (the overall time we need from the start time until the end of tracing process) The operation workload (the operations on possible routers or victims). Variation The different tpes of data flows are used to find the attack. The difference between the normal flow and attacking flow is called as Entrop Variation. The process as follows: Difference between the non-attack and attack period is called Entrop Variation. It is true that the network traffic for a router ma dnamicall change a lot from peak to off-peak service times. However, this kind of change lasts for a relativel long time interval, e.g., at least at the level of minutes. These changes can be brought town into seconds. The number of attack packets is at least an order of magnitude higher than that of normal flows. During a DDoS flooding attack, the number of attack packets increases dramaticall and the attack packets are generated b thousands of zombies. The number of attack packets is much higher than that of legitimate flows. Therefore, this assumption is reasonable. Of course, for the non-flooding attacks. Onl one DDoS attack is ongoing at a given time. It could be true that a number of attacks are ongoing 5333
concurrentl in the Internet, the attack paths ma overlap as well, but we onl consider the one attack scenario to make it simple and clear. The number of flows for a given router is stable at both the attack cases and nonattack cases. In this DDOS detection and protection sstem two tpes of algorithm, When the entrop variation is differed the trace back process is started. The special flow monitoring algorithm is running at the nonattack period, accumulating information from normal network flows, and progressing the mean and the standard variation of flows. The progressing suspends when a DDoS attack is ongoing. Once a DDoS attack has been confirmed b an of the existing DDoS detection algorithms, then the victim starts the IP traceback algorithm. This continuousl monitoring the http request from the internet. When the request is coming, it identifies the IP address and stored in cache and start counting the request from the same IP address and also maintain the timer. More than 20 requests within one second from same IP address is considered as DDOS attack. Then the IP address is blocked for certain time periods prevention that means the suspicious IP address is blocked for certain time periods. That s like a monitoring process are ver effective to monitoring the network and this monitoring is used to find out the attacker easil. The monitoring process is used to pushback when the attack is occurring. The traceback process is find out the attacker from the network when the attack traffic is present in the network. Initiate the local parameter X, U, D. U={ } be set of upstream routers, D={ } be set a destination address of the packet and the victim is V. The attack flow as, =<, i=1, 2,..n. That s like a data flow as, For i=1 to n { Calculate H(F\ ) If H(F\ )> Upstream router of to set A else break; end if; end for; } The sample algorithm for tracing the source of the attack can be as follows: FixVal:= allocated_mamor(g.tot_space); For (i := 0; i <= FixVal ; i :=i+1) For (j := 0; j <= FixVal ; j :=i+1) Routerval[i][j] := 0; Flag:=0; Routerval [ ][ ] := G.subspace; For(i := 0; i <= FixVal ; i :=i+1) For(j := 0; j <= FixVal ; j :=i+1) If(Routerval[i][j]==space_A) Else If(Routerval[i][j]==space_B) Else If(Routerval[i][j]==space_C) Else If(Routerval[i][j]==space_D) Else Return Path_set; Break; Fuzz Clustering Model Further the proposed work has implemented the Fuzz based clustering technique for a detection sstem to enhance the purit. The fundamental insufficienc of clustering is used to initiate the value of K, a number which computes the count of clusters to be formed. This classification is done b appling the fuzz clustering technique to deal with two segregations as normal and abnormal, in which K is assigned to two values. B using this feature of DDoS attack as a criterion, this work considers the partition model. It can consider the volume of attack packets in such a wa that it is less than that of normal packets. The investigation shows the inherent nature of these attack packets and provides a clear picture of the factors that signif the abnormalit. Subsequent to these partitions being made, ever field in the normal and abnormal clusters is investigated to recognize its characteristics. This knowledge helps to distinguish the regular from the irregular ones. Fuzz based clustering technique is measured for the minimization of the following objective function, with respect to Q, a fuzz partition of the data traffic and to R, a set of L prototpes as shown in Equation 1. l d o D (Q, R) = Q N - R z 1 1 where Q o is a membership of N in the cluster D between 0 and 1; where o is an real number greater than 1; N is the Y th d-dimensional measured input data; DD is the centre of fuzz cluster Y ; fe = N R is the z th point and t h cluster centre are the measured the Euclidean distance and X (1, ) is a weighting exponent. There are two necessar conditions for C to reach a minimum as shown in Equations (2) and (3). DD Y = Σ Q O N z (2) N = Σ Q o (3) 1 where, z = 1, 2, 3 Q (4) d fe 2. fe x 1 l 1 l (1) 5334
R l z 2 l z Q 2 o Q N o The measures in this iteration will stop when max, z Q Q < ε, where ε is a termination measure between 0 and 1. The maximum number of iteration routines shown in Equation 4.4 can be used as a termination measure. An illustration of the pseudo-code and the flow chart for the aforementioned process are shown in Fig. 5. Fuzz based Dnamic Detection Sstem for DDoS Initialize Increment = 1 WHILE Increment < Total iterations FOR each DataPoint Determine N ENDFOR FOR each N Calculate Cluster Center DD = Σ Q o N z ENDFOR FOR each Q Compute D l d D (Q, R) = Σ Σ Q o N -R z=1=1 ENDFOR IF D >ThresholdLevel Determine new N ENDIF Add 1 to Increment ENDWHILE PERFORMANCE RESULT AND DISCUSSION This stud helps to anale the packet information and filter it based on the available information. It feeds the information in the packet onl once when it enters into the first router in the network. The computational burden and comparison of scalabilit with different techniques is shown below in Figure 1. Figure 1: Trace Capabilit Vs Number of routers As a result, the fuzz based detection technique stands best among the various other existing techniques. It utilizes the available path information for tracing the source sstem and (5) hence the traceabilit is improved. It enables the router to reduce the overhead in packet forwarding and hence the tracing is eas. The performance comparison based on the number of routers traced is shown in Figure 1. The result shows that the performance of the other existing techniques reduces as the number of routers, when the packet crossed increases. This detection sstem principle is capable of handling large scale attacks with several advantages as follows: Eas to detect the attacker with the single packet information Does not involve complex calculation Reduces the router overhead and network traffic. Eas to mitigate and prevent further attacks Figure 2: Detection rate Vs No. Of nodes The performance graph as in Figure 21 shows that the neurofuzz based technique detection sstem has achieved the higher response time for the rate of detection both in the wired and wireless networks. The proposed neuro-fuzz based clustering technique detection sstem is higher in performance than the traceback mechanism for DDoS attack detection method. The improvement of the response time is 20 to 35% of the wireless network of the detection in the network traffic data. Table 1: Comparsion of performance of DDoS attack detection Scheme Memor Computati Scalabi Time No. of requirem onal lit Require packet ents at Burden ment to s routers Tracebac requir k ed for traceb ack PPM ID-Based NIL High Good Fair High PPM for IP Tracebac k ERPPM NIL High Good Medium Low NIL Medium Good Fair Low DPM Flexible Determin istic Packet 5335
Marking A path NIL Light Good Fair Fair identifica tion detection mechanis m Other A Real NIL Medium Good Fair Fair Appro time ach traceback for DDoS Attack PPM with Fuzz Fuzz based detection of DDoS Attack NIL Light Good Negligib le Each packet can be traced Due to the totall different nature of fuzz based detection and other well known traceback schemes, involving packet marking or packet logging techniques, quantitative comparison of the various schemes is not possible. Hence in this section, we first present a qualitative comparison between fuzz based detection and other well known traceback schemes. Success of an traceback scheme is determined b four ke factors-computational overhead involved for packet marking, memor requirement for packet logging, scalabilit of the proposed scheme and the need for cooperation between other domains. The overhead of the fuzz based detection presented here is ver light; The fuzz based detection scheme is also scalable. No Cooperation between different ISPs is required. Furthermore unlike PPM and SPIE, the scheme can be used to mitigate the effect of the attack while the attack is ragging on. CONCLUSION In this paper a new method was proposed an effective and efficient of time and accurac based detection mechanism IP traceback scheme against DDoS attacks based on entrop variations using fuzz logic. It is a fundamentall different traceback mechanism from the currentl adopted packet marking strategies. Because of the vulnerabilit of the Internet, the packet marking mechanism suffers a number of serious drawbacks: lack of scalabilit; vulnerabilit to packet pollution from hackers and extraordinar challenge on storage space at victims or intermediate routers. On the other hand, the proposed method needs no marking on packets, and therefore, avoids the inherent shortcomings of packet marking mechanisms. It emplos the features that are out of the control of hackers to conduct IP traceback. Store the short-term information of flow entrop variations at routers. Once a DDoS attack has been identified b the victim via detection algorithms, the victim then initiates the pushback tracing procedure. The traceback algorithm first identifies its upstream routers where the attack flows came from, and then submits the traceback requests to the related upstream routers. This procedure continues until the most far awa zombies are identified or when it reaches the discrimination limitation of DDoS attack flows. Compared with previous works, the proposed strateg can traceback fast in larger scale attack networks. It can traceback to the most far awa zombies within 25 seconds in the worst case under the condition of thousands of zombies. Moreover, the proposed model can work as an independent software module with current routing software. This makes it a feasible and eas to be implemented solution for the current Internet. REFERENCES [1] "IP Flow-Based Technolog, arbor networks, http://www. arbornetworks.com, 2010. [2] C. Patrikakis, M. Masikos, and O. Zouraraki, Distributed Denial of Service Attacks, The Internet Protocol J., vol. 7, no. 4, pp. 13-35, 2004. [3] T. Peng, C. Leckie, and K. Ramamohanarao, Surve of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems, ACM Computing Surves, vol. 39, no. 1, p. 3, 2007. [4] Y. Kim et al., PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denialof-Service Attacks, IEEE Trans. Dependable and Secure Computing, vol. 3, no. 2, pp. 141-155, Apr.- June 2006. [5] H. Wang, C. Jin, and K.G. Shin, Defense against Spoofed IP Traffic Using Hop-Count Filtering, IEEE/ACM Trans. Networking, vol. 15, no. 1, pp. 40-53, Feb. 2007. [6] Y. Chen and K. Hwang, Collaborative Detection and Filtering of Shrew DDoS Attacks Using Spectral Analsis, J. Parallel and Distributed Computing, vol. 66, pp. 1137-1151, 2006. [7] K. Lu et al., Robust and Efficient Detection of DDoS Attacks for Large-Scale Internet, Computer Networks, vol. 51, no. 9, pp. 5036-5056, 2007. [8] R.R. Kompella, S. Singh, and G. Varghese, On Scalable Attack Detection in the Network, IEEE/ACM Trans. Networking, vol. 15, no. 1, pp. 14-25, Feb. 2007. [9] P.E. Ares et al., ALPi: A DDoS Defense Sstem for High-Speed Networks, IEEE J. Selected Areas Comm., vol. 24, no. 10, pp. 1864-1876, Oct. 2006. [10] R. Chen, J. Park, and R. Marchan, A Divide-and- Conquer Strateg for Thwarting Distributed Denialof-Service Attacks, IEEE Trans. Parallel and Distributed Sstems, vol. 18, no. 5, pp. 577-588, Ma 2007. [11] A. Yaar, A. Perrig, and D. Song, StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense, IEEE J. Selected Areas Comm., vol. 24, no. 10, pp. 1853-1863, Oct. 2006. [12] A. Bremler-Bar and H. Lev, Spoofing Prevention Method, Proc. IEEE INFOCOM, pp. 536-547, 2005. [13] J. Xu and W. Lee, Sustaining Availabilit of Web Services under Distributed Denial of Services 5336
Attacks, IEEE Trans. Computers, vol. 52, no. 2, pp. 195-208, Feb. 2003. [14] W. Feng, E. Kaiser, and A. Luu, Design and Implementation of Network Puzzles, Proc. IEEE INFOCOM, pp. 2372-2382, 2005. [15] X. Yang, D. Wetherall, and T. Anderson, A DoS- Limiting Network Architecture, Proc. ACM SIGCOMM, pp. 241-252, 2005. [16] Z. Duan, X. Yuan, and J. Chandrashekar, Controlling IP Spoofing through Interdomain Packet Filters, IEEE Trans. Dependable and Secure Computing, vol. 5, no. 1, pp. 22-36, Jan.-Mar. 2007. [17] F. Soldo, A. Markopoulou, and K. Argraki, Optimal Filtering of Source Address Prefixes: Models and Algorithms, Proc. IEEE INFOCOM, 2009. [18] A. El-Ataw et al., Adaptive Earl Packet Filtering for Protecting Firewalls against DoS Attacks, Proc. IEEE INFOCOM, 2009. [19] T. Baba and S. Matsuda, Tracing Network Attacks to Their Sources, IEEE Internet Computing, vol. 6, no. 2, pp. 20-26, Mar. 2002. [20] A. Belenk and N. Ansari, On IP Traceback, IEEE Comm. Magazine, pp. 142-153, Jul 2003. [21] B. Al-Duwairi and M. Govindarasu, Novel Hbrid Schemes Emploing Packet Marking and Logging for IP Traceback, IEEE Trans. Parallel and Distributed Sstems, vol. 17, no. 5, pp. 403-418, Ma 2006. [22] M.T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Trans. Networking, vol. 16, no. 1, pp. 15-24, Feb. 2008. [23] T.K.T. Law, J.C.S. Lui, and D.K.Y. Yau, You Can Run, But You Can t Hide: An Effective Statistical Methodolog to Traceback DDoS Attackers, IEEE Trans. Parallel and Distributed Sstems, vol. 16, no. 9, pp. 799-813, Sept. 2005. [24] S. Savage, Network Support for IP Traceback, IEEE/ACM Trans. Networking, vol. 9, no. 3, pp. 226-237, June 2001. [25] A. Belenk and N. Ansari, IP Traceback with Deterministic Packet Marking, IEEE Comm. Letters, vol. 7, no. 4, pp. 162-164, Apr. 2003. [26] K.Saravanan and Dr.R.Asokan, Distributed Denial of Service Attack (DDoS )Detection Attacks, in the Proceedings of International Journal of Computer Science and Information Technolog, Vol.1, No.5, Dec.2011. 5337